Bug 13870 - resteasy new security issue CVE-2014-3490
Summary: resteasy new security issue CVE-2014-3490
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/607779/
Whiteboard: advisory MGA4-32-OK MGA4-64-OK
Keywords: validated_update
Depends on:
Reported: 2014-08-06 21:49 CEST by David Walser
Modified: 2014-12-26 18:05 CET (History)
3 users (show)

See Also:
Source RPM: resteasy-3.0.1-3.mga4.src.rpm
Status comment:


Description David Walser 2014-08-06 21:49:31 CEST
RedHat has issued an advisory today (August 6):

The RedHat bug has links to upstream commits and indicates it was fixed in 3.0.9:

Mageia 3 and Mageia 4 are also affected.


Steps to Reproduce:
David Walser 2014-08-06 21:49:38 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Sander Lepik 2014-11-29 15:47:57 CET
Dropped from cauldron.

Whiteboard: MGA4TOO, MGA3TOO => (none)
Version: Cauldron => 4
CC: (none) => mageia

Comment 2 David Walser 2014-12-24 21:45:28 CET
Probably on its way back to Cauldron, but it is fixed in SVN there.

Patch checked into Mageia 4 SVN.
Comment 3 David Walser 2014-12-24 23:43:22 CET
Patched package uploaded for Mageia 4.

Verifying that the updated packages install cleanly is sufficient for testing this update.


Updated resteasy packages fixes security vulnerability:

It was found that the fix for CVE-2012-0818 was incomplete: external
parameter entities were not disabled when the
resteasy.document.expand.entity.references parameter was set to false.
A remote attacker able to send XML requests to a RESTEasy endpoint could
use this flaw to read files accessible to the user running the application
server, and potentially perform other more advanced XXE attacks


Updated package in core/updates_testing:

from resteasy-3.0.1-3.1.mga4.src.rpm

Assignee: dmorganec => qa-bugs

Comment 4 Herman Viaene 2014-12-26 10:06:38 CET
MGA4-64 on HP Probook 6555b
No installation issues, apart from the surprise that this package calls +400 dependencies on my fairly default KDE workstation installation.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA4-64-OK

Comment 5 Herman Viaene 2014-12-26 10:30:32 CET
MGA4-32 on Acer D620 Xfce installation.
No installation issues, same surprise as above.

Whiteboard: MGA4-64-OK => MGA4-32-OK MGA4-64-OK

Comment 6 claire robinson 2014-12-26 10:52:02 CET
Validating. Advisory uploaded.

Please push to updates


Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 7 Mageia Robot 2014-12-26 18:05:35 CET
An update for this issue has been pushed to Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.